WTF?! For years, military technologists and outside researchers have warned that the commercial data economy could put US troops in the crosshairs. Those warnings are no longer hypothetical. US Central Command now says adversaries are exploiting commercial location data to track American personnel in active war zones, confirming that the same infrastructure that powers targeted advertising is being used against deployed forces.

In a recently disclosed letter, Centcom said it had received "multiple threat reports concerning adversary exploitation of commercial location data to target or surveil US personnel in theater." It is also the first time the military has formally acknowledged that data broker feeds are being used against US forces in the Middle East.

This acknowledgment comes after nearly a decade of technical alerts, internal demonstrations, and academic work, all pointing to the same problem: off-the-shelf tracking tools can reveal where US service members live, work, train, and even move through sensitive locations.

The core technology is basic adtech rather than anything resembling traditional espionage. Mobile apps collect geolocation and advertising IDs, third-party trackers follow devices across sites and services, and brokers package that data into products they sell to customers.

In 2016, a government technologist walked senior officers through a live example using commercially purchased data. Using data bought on the open market, they tracked phones moving from Fort Bragg and MacDill Air Force Base through Turkey and into northern Syria, where the signals converged on a covert forward operating base. The same feeds were available to any advertiser – or any foreign intelligence service willing to pay.

Even as the risks became clear, parts of the Defense Department chose to become customers of this ecosystem. In 2021, the Defense Intelligence Agency told Congress it was purchasing commercially available phone location data, including data on Americans, without a warrant, stating it could do so because the data was already sold commercially.

Around the same time, reporting showed the military acquiring location data harvested from mainstream consumer apps, effectively plugging commercial telemetry directly into intelligence workflows.

Researchers later tested how easy it would be for a hostile buyer to carry out similar activity. In 2023, a Duke University team working under a grant from the US Military Academy at West Point set out to buy data on American service members the way a foreign adversary might.

They scraped hundreds of broker sites and found thousands of products advertising information on military personnel, including lists labeled "Military Families Mailing List" and "Hard Core Military Families."

In many cases, records cost about 12 cents each, and brokers required little or no verification. The researchers were able to obtain names, addresses, health information, and financial details on active-duty troops. Using a Singapore-based domain, they also obtained geofenced data tied to installations such as Fort Bragg and Quantico; one broker even offered to skip identity checks in exchange for wire transfer payments.

The same kinds of profiles and audience segments have been visible inside major ad platforms. Working with data from the Irish Council for Civil Liberties, investigators found audience "segments" available through Google's Display & Video 360 that singled out US government employees described as "decision-makers" in national security roles, as well as workers at firms licensed to build missiles, launch vehicles, and cryptographic systems.

Previous reporting had already shown how much operational detail can be exposed once this data is accessible. In late 2024, journalists working with German outlets obtained a "free sample" from a Florida broker: 3.6 billion location points tied to about 11 million phones in Germany over two months.

Buried in that dataset were 12,313 devices that had passed through at least 11 US installations, from the Army's European headquarters in Wiesbaden to schools serving military families. Reporters traced phones inside Büchel Air Base, where US nuclear weapons are believed to be stored, and followed others as they moved through an armored-vehicle training area at Grafenwöhr, a site that alleged saboteurs had reportedly scouted months earlier.

The Army's own cyber researchers have been documenting how deeply commercial trackers have penetrated its networks. A technical report from the Army Cyber Institute at West Point in May 2025 found that more than 20% of the most-visited domains on the service's stateside unclassified networks were commercial tracking sites, and concluded that countermeasures would be relatively cheap and straightforward.

It recommended tightening browser policies, specifically calling out Google Chrome as the only major browser that had refused to block third-party cookies used for cross-site tracking.

Lawmakers are now leaning on those findings. A bipartisan letter signed by 14 members of Congress and obtained by Wired accuses the Pentagon of knowing about these threats for more than a decade yet failing to adopt "commonsense cyber defenses" proposed by its own experts.

Members of Congress also want to know what the department has done with a 2017 law that authorizes special cyber protections for personnel judged "highly vulnerable" to attack. One detail in particular has drawn criticism: Centcom only rolled out the ability to disable location sharing on government smartphones this month, roughly 10 years after the first warning.

At the same time, the Army has told soldiers to transition to using their own phones for work through a new mobility program, saying official access is confined to a secure app while leaving the rest of each device in the commercial data stream.

The Pentagon has not explained in public how it will respond to its reliance on commercial tracking infrastructure, even as adversaries learn to weaponize the same tools. What has changed is that the risk is no longer theoretical. The same systems built to follow consumers around the internet are now, by the department's own account, tracking US troops on the battlefield.